W32/Agobot-JT is a backdoor worm which runs in the background as a
system process and allows unauthorised remote access to the computer.
The worm copies itself to the Windows system folder as NAVAPSVC.EXE and adds entries to the registry at
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
and
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
to run itself on system restart.
W32/Agobot-JT may also add a number of registry entries at:
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_VIDEO_LINE
HKLM\SYSTEM\ControlSet001\Services\Video line
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VIDEO_LINE
HKLM\SYSTEM\CurrentControlSet\Services\Video line
Each time W32/Agobot-JT is run it attempts to connect to a remote IRC server
and join a specific channel.
W32/Agobot-JT may also collect system information and registration keys of
software that is installed on the computer.